Compliance Manager & Data Protection Officer (DPO) in London

We are seeking an experienced and proactive Compliance Manager & Data Protection Officer (DPO) to lead and maintain our compliance, security and data protection frameworks. This role is critical in ensuring that our systems, data and processes meet regulatory, contractual and certification obligations while supporting commercial growth through strong governance, audit readiness and tender support.

You will act as the company's subject matter expert for information security compliance, UK and EU data protection, working closely with technical teams, leadership and external stakeholders to manage risk and promote a strong security culture across the organisation. Cezanne HR Limited is in a rapidly growing phase, so expect a dynamic and fluid environment with all of the opportunities and challenges this entails. This role will suit a proactive person who thrives on using their initiative, can come up with practical solutions when solving problems and is comfortable with ambiguity. The right candidate will be outcome-focused and adept at managing their own time and priorities to work with impact.

We are a remote-first company, and this role can be a remote role based within the UK or Ireland, or hybrid based in our London or Glasgow offices.

• Compliance & Information Security
  • Own and maintain the ISO27001 Information Security Management Systems (ISMS).
  • Lead and manage external audits and surveillance audits, including ISO27001 certification.
  • Plan and run internal audits and risk assessments.
  • Maintain policies, procedures and risk registers.
  • Ensure alignment with contractual, regulatory and customer security requirements.
  • Support adherence to additional security or compliance frameworks adopted by the organisation.
• Data Protection & DPO Duties
  • Act as the organisation's Data Protection Officer (DPO) in line with UK GDPR and EU GDPR requirements.
  • Monitor and advise on compliance with UK and EU data protection legislation.
  • Maintain and improve data protection policies, DPIAs, RoPA, and privacy governance.
  • Provide guidance on lawful processing, international transfers, and vendor risk.
  • Act as point of contact for regulators (e.g. ICO) and data subjects where required.
  • Respond to and manage Data Subject Access Requests (DSARs), Data Protection Impact Assessments (DPIAs) conducted by our customers and any other queries regarding potential data breaches, unauthorised disclosures, or risk based incidents.
  • Support incident response and breach management.
• Commercial Support
  • Support assurance activities such as due diligence responses, third party assessments, and customer security questionnaires.
  • Support sales and account teams with customer assurance and compliance evidence.
  • Maintain standard compliance documentation and security packs.
  • Participate in customer and supplier audits and due diligence processes.
• Continuous Improvement, Automation & AI Supported Compliance
  • Lead projects that modernise compliance processes including content management, workflow automation, data governance tooling, AI assisted risk assessments, and systemisation projects-aligned with the organisation's direction toward process automation.
  • Identify opportunities for self service models for customers, partners, and internal teams.
  • Drive continuous improvement initiatives to enhance efficiency, transparency, and scalability.
• Stakeholder & Training
  • Work cross-functionally to ensure alignment between privacy, security, HR, IT, product, operations, and commercial teams.
  • Deliver compliance and data protection training across the business.
  • Ensure staff training, awareness, and fair processing commitments are met.
  • Promote a strong security and privacy culture.
• Legal / Contractual Support
  • Review, interpret, and advise on NDAs, Data Processing Agreements (DPAs), and commercial contract clauses relating to security, privacy, and compliance.
  • Collaborate with commercial teams on RFP responses, contract negotiations, and customer risk assessments.
  • Ensure alignment between legal commitments and operational reality.

• Essential
  • Third level qualification in Law, Business, Cybersecurity, Compliance, Data Protection, IT, or related discipline; OR equivalent professional experience.
  • Strong working knowledge of UK GDPR and EU GDPR such as implementing and maintaining GDPR compliance and responding to DSARs, DPIAs, and regulatory queries.
  • Experience managing ISO 27001, Cyber Essentials, or similar compliance frameworks.
  • Strong understanding of information security controls, risk management, and governance.
  • Ability to interpret regulations and apply them pragmatically in a commercial SaaS environment.
  • Practical experience managing ISO27001 and leading certification audits and working with certification bodies.
  • Excellent written and verbal communication skills, capable of engaging confidently with internal stakeholders, customers, partners, suppliers, auditors, and regulators.
  • Experience responding to tenders, RFIs and customer security questionnaires.
  • Experience working in a technology led, SaaS based, or data driven environment.
• Desirable
  • Experience with additional frameworks (e.g. DORA, Cyber Essentials, EU AI Act).
  • Legal, data protection or information security qualifications (e.g. CIPP/E, CIPM, ISO27001 Lead Implementer).
  • Exposure to GRC tooling, automation systems, or AI governance frameworks.

• Confident advisor to senior stakeholders.
• Detail-oriented but commercially pragmatic.
• Comfortable working independently and setting priorities.
• Calm and methodical under pressure (especially during audits or incidents).

• 28 days holiday + bank holidays.
• A day off for your birthday.
• £250 working from home budget.
• Health Insurance, Life Assurance, and Income Protection.
• Employee assistance program.
• A culture built on flexibility and trust.
• Regular social events, remotely and in person.

Cezanne HR is an equal opportunity employer, and we value diversity at our company. We do not discriminate on the basis of race, religion, colour, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.